Merge pull request #7056 from jf205/sarif-query-help

jf205 · web-flow · commit 1bacce487e8e · 2021-11-09T10:19:29.000Z
Add new option to database analyze tutorial
diff --git a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
@@ -63,6 +63,11 @@ You can also specify:
   language to the GitHub code scanning API. For more information about this use case,
   see `Configuring CodeQL CLI in your CI system <https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system>`__ in the GitHub documentation.
 
+- ``--sarif-add-query-help``: (supported in version 2.7.1 onwards) adds any custom query help written 
+   in markdown to SARIF files (v2.1.0 or later) generated by the analysis. Query help stored in ``.qhelp`` files must be 
+   converted to ``.md`` before running the analysis. For further information, 
+   see ":ref:`Including query help for custom CodeQL queries in SARIF files  <including-query-help-for-custom-codeql-queries-in-sarif-files>`."
+
 - .. include:: ../reusables/threads-query-execution.rst
 
 
@@ -201,6 +206,29 @@ A SARIF results file is generated. Specifying ``--format=sarif-latest`` ensures
 that the results are formatted according to the most recent SARIF specification
 supported by CodeQL.
 
+.. _including-query-help-for-custom-codeql-queries-in-sarif-files: 
+
+Including query help for custom CodeQL queries in SARIF files 
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you use the CodeQL CLI to to run code scanning analyses on third party CI/CD systems,
+you can include the query help for your custom queries in SARIF files generated during an analysis.
+After uploading the SARIF file to GitHub, the query help is shown in the code scanning UI for any 
+alerts generated by the custom queries. 
+
+From CodeQL CLI 2.7.1 onwards, you can include markdown-rendered query help in SARIF files 
+by providing the ``--sarif-add-query-help`` option when running
+``codeql database analyze``. 
+For more information, see `Configuring CodeQL CLI in your CI system <https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#analyzing-a-codeql-database>`
+in the GitHub documentation.
+
+You can write query help for custom queries directly in a markdown file and save it alongside the
+corresponding query. Alternatively, for consistency with the standard CodeQL queries, 
+you can write query help in the ``.qhelp`` format. Query help written in ``.qhelp`` 
+files can't be included in SARIF files, and they can't be processed by code
+scanning so must be converted to markdown before running 
+the analysis. For more information, see ":ref:`Query help files <query-help-files>`" 
+and ":doc:`Testing query help files <testing-query-help-files>`."
 
 Results
 -------
diff --git a/docs/codeql/codeql-cli/testing-query-help-files.rst b/docs/codeql/codeql-cli/testing-query-help-files.rst
@@ -15,6 +15,10 @@ in the CodeQL repository.
 The CodeQL CLI includes a command to test query help and render the content as 
 markdown, so that you can easily preview the content in your IDE. Use the command to validate 
 query help files before uploading them to the CodeQL repository or sharing them with other users. 
+From CodeQL CLI 2.7.1 onwards, you can also include the markdown-rendered query help in SARIF files 
+generated during CodeQL analyses so that the query help can be displayed in the code scanning UI. 
+For more information, see 
+":ref:`Analyzing databases with the CodeQL CLI <including-query-help-for-custom-codeql-queries-in-sarif-files>`."
 
 Prerequisites
 -------------
diff --git a/docs/codeql/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow.rst b/docs/codeql/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow.rst
@@ -10,7 +10,6 @@ A typical data-flow query looks like this:
 
 .. code-block:: ql
 
-::
 
     class MyConfig extends TaintTracking::Configuration {
       MyConfig() { this = "MyConfig" }
@@ -79,7 +78,8 @@ To avoid these problems, a data-flow ``Configuration`` comes with a mechanism fo
        */
       final predicate hasPartialFlow(PartialPathNode source, PartialPathNode node, int dist) {
 
-As noted in the documentation for ``hasPartialFlow`` (for example, in the `CodeQL for Java documentation <https://codeql.github.com/codeql-standard-libraries/java/semmle/code/java/dataflow/internal/DataFlowImpl2.qll/predicate.DataFlowImpl2$Configuration$hasPartialFlow.3.html>__`) you must first enable this by adding an override of ``explorationLimit``. For example:
+As noted in the documentation for ``hasPartialFlow`` (for example, in the 
+`CodeQL for Java documentation <https://codeql.github.com/codeql-standard-libraries/java/semmle/code/java/dataflow/internal/DataFlowImpl2.qll/predicate.DataFlowImpl2$Configuration$hasPartialFlow.3.html>`__) you must first enable this by adding an override of ``explorationLimit``. For example:
 
 .. code-block:: ql
 
diff --git a/docs/codeql/writing-codeql-queries/query-help-files.rst b/docs/codeql/writing-codeql-queries/query-help-files.rst
@@ -40,6 +40,13 @@ Query help files are written using a custom XML format, and stored in a file wit
 The header and single top-level ``qhelp`` element are both mandatory. 
 The following sections explain additional elements that you may include in your query help files.
 
+.. pull-quote::
+
+   Code scanning does not process ``.qhelp`` files for custom CodeQL queries, so to show 
+   query help for custom queries in the code scanning UI you must convert the ``.qhelp`` files to markdown 
+   and then include the markdown-rendered query help in SARIF files generated during an analysis.
+   For more information, see 
+   ":ref:`Analyzing databases with the CodeQL CLI <including-query-help-for-custom-codeql-queries-in-sarif-files>`." 
 
 Section-level elements
 ======================
